New Report Rates Peruvian ISPs: Who Defends Your Data?

New Report Rates Peruvian ISPs: Who Defends Your Data?

The Peruvian digital rights organization, Hiperderecho, together with the Electronic Frontier Foundation, launched ¿Quién Defiende Tus Datos? (Who Defends Your Data?) today, a report that evaluates the privacy practices of digital communication companies that Peruvians use every day. Along with similar reports published earlier this year in Colombia and Mexico, this investigation is part of a larger series ofevaluations across Latin America that is based on EFF’s annual Who Has Your Back? report and adapted for local realities and needs. The reports compare phone companies and Internet Service Providers to determine which ones stand by their users when responding to government requests for personal information.

As such, Hiperderecho has released the ¿Quién Defiende Tus Datos? report that evaluates whether Peruvian ISPs and telephone companies stand by their customers when the government knocks at their door compelling user data. From its inception, this project has had two main goals: to provide users with a clear assessment of which telecommunications companies are adopting best practices to protect their users’ privacy; and, to provide companies with guidance and recommendations on how they can improve their privacy practices.

In their report, Hiperderecho analyzed whether companies publish appropriate and easy-to-understand privacy policies on their websites and if the outlined practices are sufficient enough to inform users about how they treat government requests.

Evaluation criteria

Privacy Policy: To earn a star, a company must have published a privacy policy that is easy to understand. It should inform the reader about what data is collected from them, how long it is stored, and describe the guidelines and procedures the company has in place when an authority requests the data. Partial compliance was rewarded with half a star.

Judicial Warrant: Companies earned a star in this category if they required the government to obtain a warrant from a judge before handing over communications (either content or metadata). Compliance with this requirement for the content of communications, but not for metadata, earned a company a half star.

User notification: To earn a star in this category, companies must promise to inform their customers of a government request at the earliest moment permitted by the law. They could issue parallel notifications along with the official ones sent by the government after a surveillance measure took place through different means of communication.

Transparency: This category looked for companies publishing transparency reports about government requests for user data. To earn a full star, the report must provide useful data about how many requests have been received and complied with, including details about the type of requests, the government agencies that made the requests, and the reasons provided by the authority. Partial compliance is rewarded with a half star.

Commitment to privacy: This star recognizes companies who have challenged legislation that permits mass surveillance or surveillance that allows government access without judicial safeguards, as well as those that have publicly taken a position in favor of their users’ privacy before congress and other regulatory bodies.

The results

Results from Peruvian ISPs' privacy protections

Most of the companies have yet to earn a good evaluation in this first edition of the report, with some of them not even obtaining partial stars. As a result, telecommunications companies in Peru still have a long way to go to ensure the privacy of their users’ communications personal data. In categories like “Transparency Reports” and “User Notification Procedures,” no companies were awarded a star. In several cases, companies limited themselves to publishing privacy policies that neglected to include either what kind of data they were collecting or how long they would be storing the data.

Peru’s recent adoption of a new data protection law has forced companies to disclose their data collection practices every time they sign up new users, but the law doesn’t compel them to provide a more comprehensive evaluation of the data they collect as a by-product of the usage of the service. Hence, there is little information on how companies treat information they collect from users, like IP addresses, traffic logs, and geolocation, among others.

This report asks companies to stand with their customers by implementing best practices to the fullest extent permitted by law. However, one of its key findings is that certain legal restrictions in Peruvian national law may prevent operators from adopting internationally-recognized best practices for user notice, which are designed to empower users to defend their own privacy.

According to the Criminal Procedure Code or the rules of the national intelligence system, ISPs and mobile companies are compelled to keep government access requests confidential. Accordingly, the companies may be prevented from notifying their users upfront. However, there’s still much more that companies could do within the space of their legal obligations. Under Peruvian law, courts must notify citizens after a surveillance measure has expired and, when this happens, companies could contact them in parallel through email or text message to call their attention on the notification. This would allow citizens to exercise their right to oppose and appeal any surveillance measure previously issued by the courts.

Some regional companies have better practices in countries other than Peru. For example, most of the Mexican companies, including Telmex (a subsidiary of América Móvil), have a privacy policy published on their website. However, Claro’s website in Peru does not publish this information.

Peruvian companies still have a long way to go in protecting customers’ personal data and being transparent about who has access to it. Hiperderecho expects to release this report annually to incentivize companies to improve transparency and protect users data. By making privacy policies accessible and understandable, Peruvians will know how their personal data is used and how it is controlled by ISPs so they can make smarter consumer decisions.

Today marks the last day that the Ecuadorean prosecution has to investigate its case against Ola Bini, the Swedish free software programmer who was arrested there in April and detained for over two months without trial and without clear charges. On Thursday, the judge accepted a plea by the prosecutors...

Since EFF visited Ecuador three weeks ago, the investigation into open source developer Ola Bini has proceeded as we described then: drawn out, with little evidence of wrong-doing, but potentially compromised by acts of political theater outside the bounds of due process and a fair trial. Last week —...

It's Panama’s turn to take a closer look at the practices of its most prominent Internet Service Providers, and how their policies support their users’ privacy. IPANDETEC, the leading digital rights NGO in Panama, has launched its first "Who Defends Your Data" (¿Quién Defiende Tus Datos?) report. The survey shines...

San Francisco – A team from the Electronic Frontier Foundation (EFF) has returned from a fact-finding mission in Quito for the case of Ola Bini—a globally renowned Swedish programmer who is facing tenuous computer-crime charges in Ecuador. Bini was detained in April, as he left his home in Quito to...

Derechos Digitales, the leading digital rights organization in Chile, published its third annual Who Defends Your Data report today, in collaboration with EFF. The report assesses whether the country’s top ISPs enforce privacy policies and practices that put their users first. Kurt Opsahl, EFF’s Deputy Executive Director and General...

For decades, journalists, activists and lawyers who work on human rights issues around the world have been harassed, and even detained, by repressive and authoritarian regimes seeking to halt any assistance they provide to human rights defenders. Digital communication technology and privacy-protective tools like end-to-end encryption have made this work...

Thirty years ago today, the Chinese Communist Party used military force to suppress a peaceful pro-democracy demonstration by thousands of university students. Hundreds (some estimates go as high as thousands) of innocent protesters were killed. Every year, people aroundtheworld come together to mourn and...

For years, Xinjiang has been a testbed for the Chinese government’s novel digital and physical surveillance tactics, as well as human rights abuses. But there is still a lot that the international human rights community doesn’t know, especially when it comes to post-2016 Xinjiang. Last Wednesday, Human Rights Watch...